Transcription

2 Purpose of Testing: Strengthen DirectTrust Network New HISP to HISP connections generally result in minor interop issues Strong signaling from customer community about expectations for DirectTrust Network It should just work Customers cannot tolerate unpredictable failures 18 difference reference models (now more!) no two deployments of the RI are the same pairwise testing across this variety of systems reveals issues the TTT cannot not all HISPs perform MU2 certification Strong community of collaborators exists within DirectTrust history of connect-a-thon participation, good communication DirectTrust Network removes uncertainty in exchange through security policies, a common Certificate Profile, preliminary inspection by anchor bundle committee, removing incompatible certificates Interop testing can be performed on a continuous basis, with very little time commitment Demonstrate current level of success, take inventory of shortcomings Result: introduce essential points of contact at different HISPs Develop tools for improved onboarding of new HISPs moving forward 2

3 Purpose of Testing: Strengthen DirectTrust Network We re on each other s team --Lorde 3

6 Most Recent Interoperability Notes 14. SES reports considerable lag receiving cert over LDAP from Medicity 15. MHIN reports the following with respect to ICA: "This certificate cannot be verified up to a trusted certification authority." Upon reviewing the anchor certificate, an error was noted in the certificate: "The CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." 16. MHIN reports the following error message when attempting to send to Orion: "Please contact your system administrator; the following (s) are not set up properly and can't be sent to securely: 17. ICA CRL is out of date 18. San Diego Health Connect's (Resolved), HealtheConnections RHIO of CNY systems return "unknown address" for both Covisint test addresses 19. San Diego Health Connect's system returns Message from system: Certificate CN=direct.webmailtest2.orionhealthmail.info,O=Orion Health\, Inc.,L=Santa Monica,ST=California,C=US is not trusted. when attempting to send to Orion 20. Sender reports having requested but not received a Dispatched MDN from recipient 21. CareAccord reports "Cannot send from CareAccord, The public key certificate needs to be installed in to Medicity DNS or LDAP" Medicity is investigating issue with their LDAP server taking up to 15 seconds to respond. This is causing some HISPs to time out. CareAccord is one of them. 22. Updox MDN subject field consists of "Processed: [***** SPAM 5.4 *****]" 23. MDN not received; recipient (SES) does not support sending of Dispatched MDN at this time 24. server message size limit= , resent without payload 25. Medicity could not find HIXNY certificate may not support LDAP 26. Covisint investigating not being able to send to Medicity 27. Failed to find CA cert 28. Orion notes the following: The trust anchor CN=Orion Health Direct Secure Messaging Public HISP CA is signed by the trust anchor CN=Orion Health Direct Secure Messaging. Therefore, the trust anchor CN=Orion Health Direct Secure Messaging Public HISP CA should be trusted. 6

7 What s Behind the Numbers Great interop among most HISPs Reporting at 70% as of 4/7/14 22 HISPs testing out of 25 total 7

10 Key Findings: Areas for Improvement Tighten up MDN tolerances in general Add Dispatched MDN support Adhere to DT certificate profiles Develop a more mail server troubleshooting mindset When issues are found, make modifications to fix or accommodate 10

11 Action Items (1 of 2) Education Troubleshooting collaboration Documentation of interop challenges A new facet to our community of best practices High degree of willingness to participate Technical Resources Sometimes code fixes take a few days; some have taken a couple of months Some HISPs have limited resources even for the testing; still, progress continues pretty much across the board 11

12 Action Items (2 of 2) Adapting requirements to ensure better interoperability Accreditation is challenging today; even so, members would like to see interop requirements added Potential new accreditation criteria or guidance New test cases: handling MDNs with a few different common variations Minimum functionality requirements (e.g. ability to build AIA chains) System-wide adoption of Dispatched MDN capabilities More comprehensive certificate profile review as part of accreditation Update required evidence to reflect advances in MU2 testing tools. Interop testing requirements prior to accredited bundle participation 12

13 How to Perform Interop Testing Worksheet Color coded results If red/yellow, figure out how to get to green Read the Notes on the results matrix reports from other HISPs about the counter party HISP reports from other HISPs about you Other HISPs with a similar red/yellow pattern Check your mail server and STA logs If the message or MDN came in, where did it go? Leverage test environment to diagnose issues and test fixes Check the troubleshooting guide 13

15 Troubleshooting Guide: Sending & Receiving Errors Confirm your Direct address s certificate chains up to the right trust anchor Confirm your certs follow the DirectTrust Certificate Profile just like they did when you were approved by the trust bundle committee and update any old non-compliant certs. Confirm you are searching for certificates both in DNS and LDAP, and are reliably hosting in one or the other May need Java RI patch for AIA support if not at least agent (RI 3.0.1) Make sure you are issuing CRLs on schedule and not allowing them to become stale without updating Monitor uptime of all components of your system (SMTP, DNS, LDAP, STA) 15

16 Troubleshooting Guide: MDN Errors Confirm Dispatched MDNs supported by counter party Confirm MDN wasn t received and overlooked: check mail server Common issues: extra spaces, line breaks, > s, unexpected sender display name, NULL sender, MDN not encrypted/not a Direct message, lack of message ID. Check IG/RFCs to make sure you are requesting properly Ask recipient to confirm MDN was sent. Good protocol stewardship involves letting the counter party know if they are not in compliance with spec(s) OR adjusting your system to accept broader interpretations of specs, as appropriate. Help strengthen the network by sharing your findings, either way. Any notes submitted are added to the interop matrix and/or used to classify duplicate issues. Takeaway: generate MDN requests & responses as closely to specs as possible; accept/parse as broadly as possible, EXCEPT community convention is to override NULL sender specification. NULL MDN sender breaks TTT; some senders (as MDN recipients) can t process 16

17 General Observations: the Testing Process Interop Enthusiasm Some HISPs seem less responsive, but all generally distill interop results into greener and greener results over time Some HISPs send more messages than might be required. It s safe to assume they re troubleshooting. Interop testing etiquette: Send a message or two each month OR as part of regression testing OR if you are trying to diagnose a problem Explain in the subject or message body the intent of your test, whether a response is requested, and whether you would like to know that a certain attachment type(s) were readable Do not reply to all via Direct message or regular Arrange in advance a time to do performance testing with a counter party, in a mutually agreeable ecosystem such as both parties test environments 17

18 General Observations: Community Feedback Out-of-Network Service Parallel HISP or CA services offered by DTAAP Accredited or Candidate members outside of the DirectTrust network Customer confusion: most people think that if their HISP is a DirectTrust member or their certificate is from a DirectTrust CA that they should be able to interoperate with other HISPs in the DT network. Subsequent inability to interoperate is incorrectly attributed to failure of the DirectTrust network, diminishing the DirectTrust brand. 18

19 Next Steps What to test in next round of interop testing? Revoked certificates; lapsed CRLs Dispatched MDNs: DirectTrust will likely require support as of a due date TBD Should only be requested when required (per CLIA/lab reporting, for example) Handling multiple recipients any variations in deployments leading to decryption issues? CCDA and other payloads, possibly EHR to EHR & other than for payload confirmation tests, eliminate human reply component moving forward DNS, LDAP, SMTP related testing 19

TABLE OF CONTENTS INTRODUCTION USE CASES FOR CONVERSION BETWEEN DIRECT AND XDR Conversion from Direct SMTP+S/MIME Messages to XDR Conversion from XDR to SMTP+S/MIME Data Transmission between two EHRS that

Introduction MaxMD is pleased to provide the Pennsylvania ehealth Partnership Authority (Authority) the Business and Technical Requirements report under the Lab Grant pilot project. We have demonstrated

Maxum Development Corp. Rumpus launches fine, but users can t connect. What should I do? By far the most common problem people have when getting started with Rumpus is not with Rumpus at all, but in setting

Direct Secure Messaging Communicating in the Healthcare World Andy Nieto, Health IT Strategist, DataMotion Agenda Email and Direct in healthcare, a little history So what is Direct, really Certificates

Workflow Process Analysis Training Workbook August 2007 HIGHER EDUCATION What can we help you achieve? This documentation is proprietary information of SunGard Higher Education and is not to be copied,

CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

Course: 10233B: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 Description: About this Course This five-day, instructor-led course provides you with the knowledge and skills

SIP Trunk Interworking: How the SIP Forum is Improving Interoperability Between SIP-PBXs and Service Provider Networks David Hancock CableLabs John Berg CableLabs James Swan University of New Hampshire

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information Within the healthcare industry, the exchange of protected health information (PHI) is governed by regulations

1Introduction to VPN VPN Concepts, Tips, and Techniques There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But

How to Secure Your Email Address Books and Beyond Erhan J Kartaltepe, Paul Parker, and Shouhuai Xu p Department of Computer Science University of Texas at San Antonio Outline Email: A Brief Overview The

Elements of Email Email Components There are a number of software components used to produce, send and transfer email. These components can be broken down as clients or servers, although some components

IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

Managed IT Services System downtime, viruses, spyware, lost productivity; if these problems are impacting your business, it is time to make technology work for you. At ITS, we understand the importance

The Stage 2 Summary of Care objective (Core 15) involves 3 measures. The 3rd of these measures is that the provider satisfy one of the following: Conduct one or more successful exchanges of a summary of

Logi Ad Hoc Reporting Troubleshooting Scheduling Failure Version 10 Last Updated: April 2011 General Configuration Overview The execution and delivery of scheduled reports is one of the more complicated

Statement of Service Enterprise Services - MANAGE Microsoft IIS Customer Proprietary Rights The information in this document is confidential to Arrow Managed Services, Inc. and is legally privileged. The

Citi Secure Email Program Receiving Secure Email from Citi For External Customers and Business Partners Protecting the privacy and security of client information is a top priority at Citi. Citi s Secure

Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc. Domains All Domains System administrators can use this section

Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

The Google Android Security Team s Classifications for Potentially Harmful Applications April 2016 Overview This document covers the Android Security Team s taxonomy for classifying apps that pose a potential

System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

Course 10165A: Updating Your Skills from Microsoft Exchange Server 2003 or Exchange Server 2007 to Exchange Server 2010 SP1 OVERVIEW About this Course There are two main reasons for the course. Firstly,

Configuring DoD PKI This document describes the procedures to configure an XML Firewall that is interoperable with the United Stated Department of Defense (DoD) Public Key Infrastructure (PKI). High-level

ICANWK401A Install and manage a server Release: 1 ICANWK401A Install and manage a server Modification History Release Release 1 Comments This Unit first released with ICA11 Information and Communications

Planning and Administering Windows Server 2008 Servers Course 6430 Five days Instructor-led Introduction Elements of this syllabus are subject to change. This five-day instructor-led course provides students

PHS-Connect Users Group Forum November 7, 2013 Agenda Introductions and Opening Remarks PHS-Connect Update Direction of PHS-Connect What can PHS-Connect Do for Me and My EMR Secure Messaging for MU2 and

WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

Electronic Mail Security CSCI 454/554 Email Security email is one of the most widely used and regarded network services currently message contents are not secure may be inspected either in transit or by

Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian Digital Signature A Digital Signature is a data item that vouches the origin and the integrity of a Message The originator of a message uses

Multimedia Networking Principles Classify multimedia applications Identify the network services the apps need Making the best of best effort service Mechanisms for providing QoS Protocols and Architectures

Planning and Administering Windows Server 2008 Servers MOC6430 About this Course Elements of this syllabus are subject to change. This five-day instructor-led course provides students with the knowledge

VMware vsphere App HA 1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

Expanded Support for Medicaid Health Information Exchanges Thomas Novak Medicaid Interoperability Lead Office of Policy Office of the National Coordinator for Health IT Medicaid Data & Systems Group Centers